BiB 059: Recover From Cyber Attacks & Ransomware With Dell EMC

The following is a transcript of the audio recording you can listen to in the player above.

Welcome to Briefings In Brief, an audio digest of IT news and information from the Packet Pushers, including vendor briefings, industry research, and commentary.

I’m Ethan Banks, it’s November 26, 2018, and here’s what’s happening. I had a briefing with Dell EMC last month. Dell EMC is one of the largest storage companies in the world. In this briefing, they focused on their Cyber Recovery 18.1 product.

You might be thinking, “Oh, another backup product. I already have one of those.” Sort of. Cyber Recovery is more than simply backup, and it’s more than what a decent disaster recovery plan gets you. Dell EMC points out that backup recovery is good, but can be quite slow if you need to recover a huge dataset, especially when dealing with tape. In addition, having a DR plan doesn’t mean you have a plan for recovering from a cyber attack. Disaster recovery and cyber attack recovery are different animals.

What do we mean by “cyber attack”? Dell EMC cited the infamous Petya and related attacks like NotPetya. These nasty bits of work are known as ransomware. Ransomware comes in various flavors, but the Petya family encrypts your data and demands payment, while also attempting to harvest credentials and move through the network by exploiting unpatched vulnerabilities. NotPetya in particular left victims with no working way to get their data back even if they paid, which is exactly the scenario where a clean, isolated copy is the only way home.

Why is Dell EMC’s Cyber Recovery suited to address these attacks? The Cyber Recovery Vault is an orchestrated Data Domain storage platform that provides an isolated copy of known good data that can be used to recover from a security breach. Let’s look more closely at each of the keywords in that definition, as that will help us understand exactly what Cyber Recovery is.

First, orchestrated. The Cyber Recovery system is, in part, a bunch of software that does the logistical heavy lifting of deciding what data is known to be good and making sure there’s a copy of it in the vault.

Second, Data Domain. Data Domain is an existing Dell EMC data protection product that’s got a pretty large install base. You need to be a Data Domain customer to use Dell EMC Cyber Recovery. Cyber Recovery leverages the ecosystem of apps and security features around Data Domain to help it do what it does, and it replicates data from the Data Domain storage you already have.

Third, isolated. A big part of the security value of the Cyber Recovery Vault is that it is air-gapped, though it’s an operational rather than a physical air gap: the vault is only online while a replication is in progress. To perform a replication, a network interface is brought up, a trusted connection between the two environments is created, and the replication runs. Then the link connecting the vault to the rest of the network is shut down, restoring the virtual air gap between the vault and the rest of the network. In that way, if your network comes under attack, the vault should be unreachable, leaving you with a known good copy of your data. The replication window is the vault’s one exposure, so the things to scrutinize are what can cross that link and who holds the credentials that open it.

Fourth, known good. The data backed up into the vault is scanned to be sure it is good data before it is sent to the vault. Dell EMC claims that this takes the guesswork out of the restore process. The contents of the Cyber Recovery Vault are supposed to be completely trustworthy. That bit of magic is done by CyberSense, supplied to Dell EMC by a company called Index Engines. CyberSense works by scanning unstructured data and databases (Oracle, DB2, and SQL specifically) and scoring them with an entropy engine that measures 40 different statistics. Machine learning is run to generate the score; there are no signatures involved. In effect, CyberSense is making a highly educated guess that something bad happened to a file based on the entropy score, and then replacing it with a known good copy. And that’s how you know you’ve got good files when you go to restore. Bear in mind that entropy on its own is a blunt instrument, since compressed and legitimately encrypted files also score high; that is presumably why it’s 40 statistics and a model rather than a single threshold. If you’ve never heard of Index Engines, I hadn’t either. But after a little homework, I found that they are well-regarded in the IT storage community. I’d take this CyberSense technology seriously.
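To make the entropy idea concrete, here is an added example written for this page. It is not CyberSense’s code and not anything from Dell EMC or Index Engines; it scores constructed sample files on three simple statistics instead of forty, and shows the false positive a bare entropy threshold produces on a gzip file. The thresholds, the magic-byte table, the fake “ransomware” keystream and the sample CSV are all assumptions made for the demonstration.

```python
"""Does this file look like it was encrypted by ransomware?

Added illustration only: this is NOT CyberSense or any Dell EMC / Index Engines
code. It uses three hand-written statistics (byte entropy, printable-text ratio,
known-container header) to show why a bare entropy threshold is not enough.
All thresholds and the magic-byte table are assumptions for the example.
"""
import gzip
import hashlib
import math
import random
from collections import Counter

# Formats where near-random bytes are normal, so high entropy is not suspicious.
# Assumed short table; a real scanner would carry a much longer one.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}

ENTROPY_THRESHOLD = 7.5    # bits per byte; uniform random data scores ~8.0
PRINTABLE_THRESHOLD = 0.5  # below this, the bytes do not look like text


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def known_container(data: bytes):
    """Name of a recognised compressed/image container, or None."""
    for magic, name in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def score_file(data: bytes) -> dict:
    """Return the statistics plus two verdicts.

    naive_suspect: entropy alone (plus 'not text') says encrypted.
    suspect:       the same, but a recognised container header overrides it,
                   because a ZIP or JPEG is *supposed* to look random.
    """
    h = shannon_entropy(data)
    p = printable_ratio(data)
    container = known_container(data)
    naive = h > ENTROPY_THRESHOLD and p < PRINTABLE_THRESHOLD
    return {
        "entropy": round(h, 3),
        "printable": round(p, 3),
        "container": container,
        "naive_suspect": naive,
        "suspect": naive and container is None,
    }


# --- constructed sample inputs (stand-ins, not real customer data) ----------

def make_sample_document(n_lines: int = 2000, seed: int = 7) -> bytes:
    """A fake CSV export; seeded so the example is reproducible."""
    rng = random.Random(seed)
    words = ["invoice", "refund", "payroll", "vendor", "audit",
             "shipment", "credit", "tax", "lease", "bonus"]
    lines = (f"{i},{rng.choice(words)},{rng.randint(100, 99999)},"
             f"{rng.choice(words)}\n" for i in range(n_lines))
    return "".join(lines).encode("ascii")


def fake_encrypt(data: bytes, key: bytes = b"demo-key") -> bytes:
    """Stand-in for a ransomware payload: XOR with a SHA-256 counter-mode
    keystream. Not a cipher anyone should deploy, but its output is
    statistically indistinguishable from random bytes, which is all an
    entropy engine gets to see."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def build_samples() -> dict:
    doc = make_sample_document()
    return {
        "plaintext": doc,                           # what a good backup copy looks like
        "encrypted": fake_encrypt(doc),             # what ransomware leaves behind
        "compressed": gzip.compress(doc, mtime=0),  # legitimate high entropy
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:10s} {score_file(data)}")
```

Run it and the plaintext lands around 4 to 5 bits per byte, while both the encrypted and the gzip copies land near 8; only the container check separates them. That is the shape of the problem a forty-statistic model is solving, and it is also why a scanner that looked at entropy alone would quarantine every archive and image in the backup set.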

So there you have it. The Cyber Recovery Vault is an orchestrated Data Domain storage platform that provides an isolated copy of known good data that can be used to recover from a security breach.

If you decide to install a Cyber Recovery Vault or two at your company, you’ll be engaging with Dell EMC services. They’ll help you identify the data to be protected and replicated to the vault and work on the orchestration to make sure protection is happening without too much required of the operations folks.

For more information, search for “dell emc cyber recovery.” The front page of the results should get you to the right place.

That was Briefings in Brief from the Packet Pushers. For more IT podcasts, blogs and news created for engineers, visit packetpushers.net where you can subscribe for free. And for even more great information, become a member at ignition.packetpushers.net.